We consider the binary-LWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from $\\{ 0, 1\\}$ or $\\{ -1, 0, 1 \\}$ (and the error vector is sampled from a discrete Gaussian distribution). Our main result is an algorithm for binary-LWE that first translates the problem to the inhomogeneous short integer solution (ISIS) problem, and then solves the closest vector problem using a re-scaling of the lattice. We also discuss modulus switching as an approach to the problem. Our conclusions are that binary-LWE is easier than general LWE. We give experimental results that will be of help when choosing parameters for binary-LWE to achieve certain security levels.

We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware for universally composable secure computation. As our main result, we show an efficient oblivious-transfer (OT) protocol in which two parties each create and exchange a single, stateless token and can then run an unbounded number of OTs. Our result yields what we believe is the most practical and efficient known approach for oblivious transfer based on tamper-proof tokens, and implies that the parties can perform (repeated) secure computation of arbitrary functions without exchanging additional tokens.

Motivated by this result, we investigate the minimal number of stateless tokens needed for universally composable OT/secure computation. We prove that our protocol is optimal in this regard for constructions making black-box use of the tokens (in a sense we define). We also show that nonblack-box techniques can be used to obtain a construction using only a single stateless token.

Bitcoin has achieved large-scale acceptance and popularity by promising its users a low-cost, anonymous, and completely decentralized exchange of transactions. However, recent incidents and observations are revealing the true limits of decentralization in the Bitcoin system. In this article, we show that the vital operations and decisions that Bitcoin is currently undertaking are not decentralized. More specifically, we show that a limited set of entities currently control

the services, decision making, mining, and the incident resolution processes in Bitcoin. We also show that third-party entities can unilaterally decide to \"devalue\" any specific set of Bitcoin addresses pertaining to any entity participating in the system. Finally, we explore possible avenues to enhance the decentralization in the Bitcoin system.

They defined several security notions for {\\PPE} and studied their relationship. They also proposed a concrete scheme which preserves

the orthogonality of encrypted vectors. The proposed construction is claimed to achieve the strongest security notion

of property preserving encryption, called {\\LoR} security. In this work, we take a critical look at the three security theorems in the context of {\\PPE} from~\\cite{PR12}. In particular, we show

that the Pandey-Rouselakis construction does not even satisfy the weakest notion of security for {\\PPE}. We also note that

their separation results between different notions of security for {\\PPE} stand vacuous in the absence of any concrete example. We fill up this gap in the separation results of~\\cite{PR12} by suggesting an example construction of

This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets their benefits and drawbacks when applied to the real world.

Provable security has been an area of contention. Some, such as Koblitz and Menezes, give little credit to the potential extra security provided and argue that it is a distracting goal. However, others believe that an algorithm with a security proof is superior to one without it, and are prepared to accept the impact to performance that their use might involve. Goldreich has been notable for his defence of the security proof, and for his opposition to the view of Koblitz and Menezes.

This paper is designed to help the reader make their own decisions on security proofs. We achieve this by giving an introduction to the typical security model used, then give a description of the EDL signature scheme and its tight reduction to the CDH problem in the Random Oracle Model, then analyse the proof\'s assumptions, meaning, validity and overhead for real world security.

Dynamic Searchable Symmetric Encryption (DSSE) enables a client to encrypt his document collection in a way that it is still searchable and efficiently updatable. However, all DSSE constructions that have been presented in the literature so far come with several problems: Either they leak a significant amount of information (e.g., hashes of the keywords contained in the updated document) or are inefficient in terms of space or search/update time (e.g., linear in the number of documents).

In this paper we revisit the DSSE problem. We propose the first DSSE scheme that achieves the best of both worlds, i.e., both small leakage and efficiency. In particular, our DSSE scheme leaks significantly less information than any other previous DSSE construction and supports both updates and searches in sublinear time in the worst case, maintaining at the same time a data structure of only linear size. We finally provide an implementation of our construction, showing its practical efficiency.

Keyless Signatures Infrastructure (KSI) is a globally distributed system for providing time-stamping and server-supported digital signature services. Global per-second hash trees are created and their root hash values published.

We discuss some service quality issues that arise in practical implementation of the service and present solutions for avoiding single points of failure and guaranteeing a service with reasonable and stable delay. Guardtime AS has been operating a KSI Infrastructure for 5 years. We summarize how the KSI Infrastructure is built, and the lessons learned during the operational period of the service.

We present the Protected-IV construction (PIV) a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, an obvious pathway to building beyond birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design space exploration, we give two fully instantiated PIV constructions, TCT1 and TCT2; the latter is fast and has beyond birthday-bound security, the former is faster and has birthday-bound security. Finally, we consider a generic method for turning a VIL tweakable cipher (like PIV) into an authenticated encryption scheme that admits associated data, can withstand nonce-misuse, and allows for multiple decryption error messages. Thus, the method offers robustness even in the face of certain sidechannels, and common implementation mistakes.

The security and privacy group (S&P) group at the Max Planck Institute for Software Systems is currently offering postdoc positions under the supervision of Michael Backes. The S&P group collaborates closely with the Center for IT-Security, Privacy and Accountability (CISPA) at Saarland University.

Please refer to the link below for a full description of the open positions.